authorMarkus Krogh <markus@nordu.net>2018-06-06 13:07:43 +0200
committerMarkus Krogh <markus@nordu.net>2018-06-06 13:07:43 +0200
commit0c57aa6636e1d33bcac8a54f7fa575a43cdf1b2a (patch)
tree25dabfaa913b586a7ea19e880c723d2c4f56c7ba /ssh-keys.sh
Initial cf-replace
Diffstat (limited to 'ssh-keys.sh')
-rw-r--r--ssh-keys.sh52
1 files changed, 52 insertions, 0 deletions
diff --git a/ssh-keys.sh b/ssh-keys.sh
new file mode 100644
index 0000000..68f8d0c
--- /dev/null
+++ b/ssh-keys.sh
@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+## check if ldapsearch is installed
+if ! which ldapsearch >> /dev/null; then
+ if ! apt-get install -y -qq ldap-utils >> /dev/null; then
+ echo "Failed to install ldap-utils"
+ exit 1
+ fi
+fi
+
+DRY_RUN=false
+if [ "$1" == "-n" ]; then
+ DRY_RUN=true
+fi
+
+sunetEmpl="leif leifj lundberg linus per john"
+ignoreList="ndn-eduix nunoc"
+for userHome in /home/*; do
+ user=$(basename "$userHome")
+ keys_raw=$(/usr/bin/ldapsearch -o nettimeout=5 -o ldif-wrap=no -LLL -x -H "ldap://ldap1.nordu.net" -b "ou=people,dc=nordu,dc=net" "(&(employeeType=employee)(memberof=cn=ndn-sysadmin,ou=groups,dc=nordu,dc=net)(sshPublicKey=*)(uid=$user))" sshPublicKey)
+ search_status=$?
+
+ if [ "$search_status" -ne 0 ]; then
+ echo "Ldap search failed for $user with status $search_status, ignoring"
+ continue
+ fi
+
+ keys=$(echo "$keys_raw" | grep '^sshPublicKey' | cut -f 2- -d' ')
+ authorized_keys="/home/$user/.ssh/authorized_keys"
+ if grep -q "$user" <<< "$sunetEmpl"; then
+ # skip SUNET people
+ keys=""
+ fi
+ if grep -q "$user" <<< "$ignoreList"; then
+ # skip certain users
+ continue
+ fi
+ if [ -n "$keys" ]; then
+ # write authorized_keys
+ if $DRY_RUN; then
+ echo "$user"
+ else
+ echo "$keys" > "$authorized_keys"
+ fi
+ else
+ # blank authorized_keys
+ if $DRY_RUN; then
+ echo "!$user"
+ else
+ echo "" > "$authorized_keys"
+ fi
+ fi
+done
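Review bot: The write on line 62 (`echo "$keys" > "$authorized_keys"`) runs as root and follows symlinks, so a local user who replaces `~/.ssh/authorized_keys` or `~/.ssh` itself with a symlink can have this script overwrite an arbitrary file with LDAP-supplied content; refuse symlinks and non-directories before writing, e.g. `if [[ -L "$userHome/.ssh" || ! -d "$userHome/.ssh" || -L "$authorized_keys" ]]; then printf 'skipping %s: unsafe .ssh\n' "$user" >&2; continue; fi` ahead of line 57. The keys themselves come over plain `ldap://` with an anonymous simple bind (line 39), so the key material has no integrity protection in transit; `ldaps://` or `-ZZ` would close that. The membership checks on lines 49 and 53 are regex substring matches, so a user such as `lei` or `per` would also match the `leif`/`lundberg` entries and any `.` or `*` in a home-directory name changes the pattern; a whole-word test like `[[ " $sunetEmpl " == *" $user "* ]]` is exact. Line 39 also interpolates `$user` into the LDAP filter unescaped; since home-directory names are normally root-created this is low risk, but validating `[[ "$user" =~ ^[A-Za-z0-9._-]+$ ]]` before the search keeps the filter well-formed.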